Cracking notes for a certain computer-lab management system:
PEiD identifies the packer as ASPack 2.12 -> Alexey Solodovnikov. Unpacked it manually, repaired the dump, saved it as server11; the program is written in Delphi.
Load the unpacked server11 into OllyDbg. Because the program is of the restart-to-verify type, and the user name and password are both stored under HKEY_USER\software\aotesoft\atcommng, search for the string software\aotesoft\atcommng. There are two hits; double-click into each, set a breakpoint at the start of the routine, then press F9 to run. The program stops at:
007A3E18 55 push ebp
007A3E19 68 CA497A00 push server11.007A49CA
007A3E1E 64:FF30 push dword ptr fs:[eax]
007A3E21 64:8920 mov dword ptr fs:[eax],esp
007A3E24 8B83 6C030000 mov eax,dword ptr ds:[ebx+36C]
Then single-step with F8:
007A3F00 B8 484F7D00 mov eax,server11.007D4F48
007A3F05 8B55 FC mov edx,dword ptr ss:[ebp-4]
007A3F08 E8 B316C6FF call server11.004055C0 ; reads the user name xtxie into EDX
007A3F0D 8D4D F8 lea ecx,dword ptr ss:[ebp-8]
007A3F10 BA 404A7A00 mov edx,server11.007A4A40 ; code
007A3F15 8B06 mov eax,dword ptr ds:[esi]
007A3F17 E8 10E5CAFF call server11.0045242C
007A3F1C 8B06 mov eax,dword ptr ds:[esi] ; reads the fake registration code 1234567 into EAX
007A415E 8D8D 54FEFFFF lea ecx,dword ptr ss:[ebp-1AC]
007A4164 33C0 xor eax,eax
007A4166 8A06 mov al,byte ptr ds:[esi]
007A4168 BA 02000000 mov edx,2
007A416D E8 3E6FC6FF call server11.0040B0B0
007A4172 8B95 54FEFFFF mov edx,dword ptr ss:[ebp-1AC]
007A4178 8D45 EC lea eax,dword ptr ss:[ebp-14]
007A417B E8 C416C6FF call server11.00405844
007A4180 46 inc esi
007A4181 4F dec edi
007A4182 ^ 75 DA jnz short server11.007A415E // loop; the value computed on the stack is 4F88D77DB5F5B77F97C219F21BD1E6B7
007A41CA /0F85 DF040000 jnz server11.007A46AF -->jnz server11.007A4546
007A453B /0F85 D2000000 jnz server11.007A4613 -->nop
Then locate:
007ABC0E /0F85 95000000 jnz server11.007ABCA9 -->jmp
007ABC14 |33D2 xor edx,edx
007ABC16 |8B83 6C030000 mov eax,dword ptr ds:[ebx+36C]
007ABC1C |8B08 mov ecx,dword ptr ds:[eax]
007ABC1E |FF51 64 call dword ptr ds:[ecx+64]
007ABC21 |33D2 xor edx,edx
007ABC23 |8B83 00030000 mov eax,dword ptr ds:[ebx+300]
007ABC29 |8B08 mov ecx,dword ptr ds:[eax]
007ABC2B |FF51 64 call dword ptr ds:[ecx+64]
007ABC2E |8B83 F8020000 mov eax,dword ptr ds:[ebx+2F8]
007ABC34 |8B40 34 mov eax,dword ptr ds:[eax+34]
007ABC37 |E8 9CFBCEFF call server11.0049B7D8
007ABC3C |8BF0 mov esi,eax
007ABC3E |4E dec esi
007ABC3F |85F6 test esi,esi
007ABC41 |7C 1E jl short server11.007ABC61
007ABC43 |46 inc esi
007ABC44 |33FF xor edi,edi
007ABC46 |8B83 F8020000 mov eax,dword ptr ds:[ebx+2F8]
007ABC4C |8B40 34 mov eax,dword ptr ds:[eax+34]
007ABC4F |8BD7 mov edx,edi
007ABC51 |E8 92FBCEFF call server11.0049B7E8
007ABC56 |33D2 xor edx,edx
007ABC58 |E8 A7FACEFF call server11.0049B704
007ABC5D |47 inc edi
007ABC5E |4E dec esi
007ABC5F ^|75 E5 jnz short server11.007ABC46
007ABC61 |8B83 54030000 mov eax,dword ptr ds:[ebx+354]
007ABC67 |8B80 2C020000 mov eax,dword ptr ds:[eax+22C]
007ABC6D |33D2 xor edx,edx
007ABC6F |E8 C0A6CBFF call server11.00466334
007ABC74 |8BD8 mov ebx,eax
007ABC76 |BA 28BD7A00 mov edx,server11.007ABD28 ; -----
007ABC7B |8BC3 mov eax,ebx
007ABC7D |E8 26A1CBFF call server11.00465DA8
007ABC82 |8B43 08 mov eax,dword ptr ds:[ebx+8]
007ABC85 |BA 38BD7A00 mov edx,server11.007ABD38 ; ----
007ABC8A |8B08 mov ecx,dword ptr ds:[eax]
007ABC8C |FF51 38 call dword ptr ds:[ecx+38]
007ABC8F |8B43 08 mov eax,dword ptr ds:[ebx+8]
007ABC92 |BA 28BD7A00 mov edx,server11.007ABD28 ; -----
007ABC97 |8B08 mov ecx,dword ptr ds:[eax]
007ABC99 |FF51 38 call dword ptr ds:[ecx+38]
007ABC9C |8B43 08 mov eax,dword ptr ds:[ebx+8]
007ABC9F |BA 48BD7A00 mov edx,server11.007ABD48 ; Sorry, your serial number is invalid!
Summary: the two key points of this crack are:
1. 007A41CA /0F85 DF040000 jnz server11.007A46AF -->jnz server11.007A4546
2. 007ABC0E /0F85 95000000 jnz server11.007ABCA9 -->jmp
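As an added example (not part of the original post), a small Python decoder for OllyDbg listing lines of the kind quoted above: it parses the address, opcode bytes and instruction, recomputes each relative branch target from the displacement bytes, and checks it against the target OllyDbg printed, which is a quick way to confirm that a listing has been transcribed correctly before reasoning about which branch decides the check. The sample lines are copied from the listings above; the module name server11 is the post's.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in OllyDbg listing style (address, code bytes, instruction);
# '^', '/', '|' are Olly's jump-arrow glyphs and are ignored by the parser.
SAMPLE = """\
007A3F08 E8 B316C6FF call server11.004055C0
007A4182 ^ 75 DA jnz short server11.007A415E
007A41CA /0F85 DF040000 jnz server11.007A46AF
007ABC0E /0F85 95000000 jnz server11.007ABCA9
007ABC41 |7C 1E jl short server11.007ABC61
007ABC74 |8BD8 mov ebx,eax
"""

# Olly prints code bytes in upper-case hex and mnemonics in lower case,
# which is what lets the regex tell the two columns apart.
LINE_RE = re.compile(r"^(?P<addr>[0-9A-F]{8})\s+[\^/|\\ ]*"
                     r"(?P<code>[0-9A-F:]+(?:\s+[0-9A-F:]+)*)\s+(?P<asm>[a-z].*)$")

@dataclass
class Branch:
    addr: int
    kind: str               # "jcc", "jmp" or "call"
    target: int             # recomputed from the encoded displacement
    stated: Optional[int]   # target as printed in the listing, if any

def decode_branch(code: bytes) -> Optional[Tuple[str, int, int]]:
    """Return (kind, instruction length, signed displacement) for IP-relative branches."""
    op = code[0]
    if 0x70 <= op <= 0x7F:                              # Jcc rel8
        return "jcc", 2, int.from_bytes(code[1:2], "little", signed=True)
    if op == 0xEB:                                      # JMP rel8
        return "jmp", 2, int.from_bytes(code[1:2], "little", signed=True)
    if op in (0xE8, 0xE9):                              # CALL / JMP rel32
        return ("call" if op == 0xE8 else "jmp"), 5, int.from_bytes(code[1:5], "little", signed=True)
    if op == 0x0F and len(code) > 1 and 0x80 <= code[1] <= 0x8F:   # Jcc rel32
        return "jcc", 6, int.from_bytes(code[2:6], "little", signed=True)
    return None

def parse_listing(text: str) -> List[Branch]:
    """Extract every relative branch from an OllyDbg listing and compute its target."""
    branches = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        addr = int(m["addr"], 16)
        code = bytes.fromhex(m["code"].replace(":", "").replace(" ", ""))
        dec = decode_branch(code)
        if dec is None:
            continue
        kind, length, disp = dec
        # Printed operand looks like "server11.007A46AF"; strip the module prefix.
        stated = re.search(r"(?:\w+\.)?([0-9A-F]{8})$", m["asm"].split(";")[0].strip())
        branches.append(Branch(addr, kind, (addr + length + disp) & 0xFFFFFFFF,
                               int(stated[1], 16) if stated else None))
    return branches

def mismatches(branches: List[Branch]) -> List[Branch]:
    """Branches whose printed target disagrees with the decoded displacement."""
    return [b for b in branches if b.stated is not None and b.stated != b.target]
```

Every branch in the quoted listings decodes to the target Olly printed, so `mismatches(parse_listing(SAMPLE))` is empty.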